And depending on DNSSEC probably does impair the ability of this to be
deployed.  But if DoT can be used instead of DNSSEC, it seems to me
that this might be easier to deploy than MTA-STS.

But DoT and DNSSEC are unrelated.  DNSSEC promises that the data you
got are the ones that the authoritative servers published, even though
someone might have snooped on the way.  DoT promises that nobody
snooped and the data you got are the ones that the resolver, which may
be lying, sent.

You can have either without the other.  If you want confidentiality
and integrity, you need both.
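
The distinction drawn in the reply above, shown as a runnable model. This is an added example, not code from the thread or from any DNS implementation: Ed25519 over a canonical RRset stands in for a real DNSSEC chain (DNSKEY, DS, RRSIG), the zone name `example.test.` and the MX records are constructed, and the `Scenario`, `lookup` and `runScenarios` names are assumptions of the example. It walks the four combinations of an encrypted stub-to-resolver channel (DoT) and a validating stub (DNSSEC) against a resolver that substitutes its own answer, and reports what an on-path observer could read and what the stub accepted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// Answer is a simplified DNS response: owner name, RRset, and the signature
// over that RRset (nil when the data is unsigned).
type Answer struct {
	Name string
	RRs  []string
	Sig  []byte
}

// canonical is the byte string the toy signature covers: lower-cased owner
// name plus the RRset in sorted order, so record order does not matter.
func canonical(name string, rrs []string) []byte {
	c := append([]string(nil), rrs...)
	sort.Strings(c)
	return []byte(strings.ToLower(name) + "\n" + strings.Join(c, "\n"))
}

// signRRset models the zone operator signing an RRset with the zone key
// (the toy stand-in for producing an RRSIG).
func signRRset(priv ed25519.PrivateKey, name string, rrs []string) Answer {
	return Answer{Name: name, RRs: rrs, Sig: ed25519.Sign(priv, canonical(name, rrs))}
}

// validate models a validating stub: the answer is accepted only if its
// signature verifies under the trust anchor (the zone's public key).
func validate(anchor ed25519.PublicKey, a Answer) bool {
	return a.Sig != nil && ed25519.Verify(anchor, canonical(a.Name, a.RRs), a.Sig)
}

// Scenario describes one lookup: transport, resolver honesty, stub behaviour.
type Scenario struct {
	DoT           bool // encrypted stub-to-resolver channel (no snooping or tampering on the path)
	LyingResolver bool // resolver returns its own answer instead of the published one
	Validating    bool // stub checks signatures against the trust anchor
}

// Outcome records what an on-path observer learned and what the stub accepted.
type Outcome struct {
	Snooped  bool     // an observer on the path could read the exchange
	Accepted bool     // the stub accepted the answer
	RRs      []string // the RRset the application would act on (nil if rejected)
}

// lookup runs one scenario. genuine is what the authoritative servers
// published; forged is what a lying resolver hands back instead.
func lookup(s Scenario, genuine, forged Answer, anchor ed25519.PublicKey) Outcome {
	answer := genuine
	if s.LyingResolver {
		answer = forged
	}
	out := Outcome{Snooped: !s.DoT} // DoT hides the exchange; plaintext does not
	if s.Validating && !validate(anchor, answer) {
		return out // bogus under DNSSEC: the answer is discarded
	}
	out.Accepted = true
	out.RRs = answer.RRs
	return out
}

// runScenarios builds a toy signed zone and a forged answer, then evaluates
// the combinations discussed in the thread.
func runScenarios() (map[string]Outcome, error) {
	zonePub, zonePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	// The lying resolver has its own key; signing with it must not help,
	// because the stub's trust anchor is the zone's key, not the resolver's.
	_, resolverPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	// Constructed sample data: the zone's real MX record versus a forged one.
	genuine := signRRset(zonePriv, "example.test.", []string{"MX 10 mail.example.test."})
	forged := signRRset(resolverPriv, "example.test.", []string{"MX 10 mx.attacker.test."})

	return map[string]Outcome{
		"DoT only, lying resolver":    lookup(Scenario{DoT: true, LyingResolver: true}, genuine, forged, zonePub),
		"DNSSEC only, lying resolver": lookup(Scenario{Validating: true, LyingResolver: true}, genuine, forged, zonePub),
		"DoT+DNSSEC, lying resolver":  lookup(Scenario{DoT: true, Validating: true, LyingResolver: true}, genuine, forged, zonePub),
		"DoT+DNSSEC, honest resolver": lookup(Scenario{DoT: true, Validating: true}, genuine, forged, zonePub),
	}, nil
}

func main() {
	results, err := runScenarios()
	if err != nil {
		panic(err)
	}
	names := make([]string, 0, len(results))
	for n := range results {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		o := results[n]
		fmt.Printf("%-28s snooped=%-5v accepted=%-5v rrs=%v\n", n, o.Snooped, o.Accepted, o.RRs)
	}
}
```

DoT alone leaves the forged MX accepted (nothing snooped, but the data are the resolver's, not the zone's); DNSSEC alone rejects the forgery but the plaintext exchange was readable on the path; only the combination yields both properties, and an honest resolver over DoT with a validating stub returns the genuine record.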
